Abstract. In March 2004, Anshel, Anshel, Goldfeld, and Lemieux introduced the Algebraic Eraser scheme for key agreement over an insecure channel, using a novel hybrid of infinite and finite noncommutative groups. They also introduced the Colored Burau Key Agreement Protocol (CBKAP), a concrete realization of this scheme. CBKAP resisted cryptanalysis for four years.

We present general, efficient algorithms, which extract the shared key out of 
the public information provided by CBKAP. These algorithms are successful 
for all sizes of the security parameters, assuming that the keys are chosen with 
standard distributions. 

Our methods come from probabilistic group theory, and have not been used before in cryptanalysis. In particular, we provide a simple and very efficient heuristic algorithm for finding short expressions of permutations as products of given random permutations. Our algorithm gives expressions of length $O(n^2 \log n)$, in time $O(n^4 \log n)$ and space $O(n^2 \log n)$, and is the first practical one for $n > 256$.

Remark. Algebraic Eraser is a trademark of SecureRF. The variant of CBKAP 
actually implemented by SecureRF uses proprietary distributions, and thus 
our results do not imply its vulnerability. 



1. Introduction and overview 

During the last decade, starting with the seminal papers [1, 10], attempts have been made to construct and analyze public key schemes based on noncommutative groups and combinatorial (or computational) group theory. The obvious motivation is that such systems may provide longer term security, and may (unlike the main present day public key schemes) be resistant to attacks by quantum computers. Moreover, these connections between combinatorial group theory and cryptography lead to mathematical questions not asked before, and consequently to new mathematical discoveries.

In this paper, we study a scheme falling in the above category, whose cryptanalysis leads to an algorithm with interest beyond the studied scheme.

The Algebraic Eraser key agreement scheme was introduced by Anshel, Anshel, Goldfeld, and Lemieux in the workshop Algebraic Methods in Cryptography held in Dortmund, Germany, in March 2004, and in the special session on Algebraic Cryptography, at the Joint International Meeting of the AMS, DMV, and ÖMG, held in Mainz, Germany, in June 2005. It was subsequently published as [2].
Apart from its mathematical novelty, the Algebraic Eraser has a surprisingly simple concrete realization, the Colored Burau Key Agreement Protocol (CBKAP), which consists of an efficient combination of matrix multiplications, applications of permutations, and evaluations of polynomials at elements of a finite field. Despite its being brought to the attention of both the cryptography and the computational group theory communities, no weakness was identified in CBKAP in the four years which have passed since its introduction.

We present an efficient attack on this scheme, which recovers the shared key from the public information, for all sizes of the security parameters. This attack was implemented and succeeded on all of the hundreds of instances generated using standard distributions.

The methods, which make the attack applicable to large security parameters, come from probabilistic group theory, and deal with permutation groups. About half of the paper is dedicated to a new algorithm for finding short expressions of permutations as words in a given set of randomly chosen permutations. This algorithm solves efficiently instances which are intractable using previously known, provable or heuristic, techniques.

2. The Algebraic Eraser scheme 

We describe here the general framework. The concrete realization will be 
described later. 

2.1. Notation, terminology, and conventions. A monoid is a set $M$ with a distinguished element $1 \in M$, equipped with an associative multiplication operation for which $1$ acts as an identity. Readers not familiar with this notion may replace "monoid" with "group" everywhere, since this is the main case considered here.

Let $G$ be a group acting on a monoid $M$ on the left, that is, to each $g \in G$ and each $a \in M$ a unique element denoted ${}^g a \in M$ is assigned, such that:

(i) ${}^1 a = a$;

(ii) ${}^g({}^h a) = {}^{gh} a$; and

(iii) ${}^g(ab) = {}^g a \cdot {}^g b$

for all $a, b \in M$, $g, h \in G$.
$M \times G$, with the operation

(1) $(a, g) \circ (b, h) = (a \cdot {}^g b,\ gh)$,

is a monoid denoted $M \rtimes G$.

Let $N$ be a monoid, and $\varphi : M \to N$ a homomorphism. The algebraic eraser operation is the function $\star : (N \times G) \times (M \rtimes G) \to N \times G$ defined by

$(a, g) \star (b, h) = (a \cdot \varphi({}^g b),\ gh)$,

and it satisfies

(2) $((a, g) \star (b, h)) \star (c, r) = (a, g) \star ((b, h) \circ (c, r))$

for all $(a, g) \in N \times G$, $(b, h), (c, r) \in M \rtimes G$.
Submonoids $A, B$ of $M \rtimes G$ are $\star$-commuting if

(3) $(\varphi(a), g) \star (b, h) = (\varphi(b), h) \star (a, g)$

for all $(a, g) \in A$, $(b, h) \in B$. In particular, if $A, B$ $\star$-commute, then

$\varphi(a)\,\varphi({}^g b) = \varphi(b)\,\varphi({}^h a)$ and $gh = hg$

for all $(a, g) \in A$, $(b, h) \in B$.

2.1.1. Didactic convention. Since the actions are superscripted, we try to mini- 
mize the use of subscripts. As a rule, whenever two parties, Alice and Bob, are 
involved, we try to use for Bob letters which are subsequent to the letters used 
for Alice (as is suggested by their names). 

2.2. The Algebraic Eraser Key Agreement Scheme. 

2.2.1. Public information.

(1) A positive integer $m$.

(2) $\star$-commuting submonoids $A, B$ of $M \rtimes G$, each given in terms of a generating set of size $k$.

(3) Element-wise commuting submonoids $C, D$ of $N$.

2.2.2. The protocol. 

(1) Alice chooses $c \in C$, $(a_1, g_1), \dots, (a_m, g_m) \in A$, and sends

$(p, g) = (c, 1) \star (a_1, g_1) \star \dots \star (a_m, g_m) \in N \times G$

(the $\star$-multiplication is carried out from left to right) to Bob.

(2) Bob chooses $d \in D$, $(b_1, h_1), \dots, (b_m, h_m) \in B$, and sends

$(q, h) = (d, 1) \star (b_1, h_1) \star \dots \star (b_m, h_m) \in N \times G$

to Alice.

(3) Alice and Bob compute the shared key:

$(cq, h) \star (a_1, g_1) \star \dots \star (a_m, g_m) = (dp, g) \star (b_1, h_1) \star \dots \star (b_m, h_m).$

We will soon explain why this equality holds.

For the sake of mathematical analysis, it is more convenient to reformulate this protocol as follows. The public information remains the same. In the notation of Section 2.2.2 define

$(a, g) = (a_1, g_1) \circ \dots \circ (a_m, g_m) \in A$;

$(b, h) = (b_1, h_1) \circ \dots \circ (b_m, h_m) \in B$.

By Equations (1) and (2), Alice and Bob transmit the information

$(p, g) = (c, 1) \star (a_1, g_1) \star \dots \star (a_m, g_m) = (c, 1) \star (a, g) = (c\,\varphi(a), g)$;
$(q, h) = (d, 1) \star (b_1, h_1) \star \dots \star (b_m, h_m) = (d, 1) \star (b, h) = (d\,\varphi(b), h)$.

Using this and Equation (3), we see in the same manner that the shared key is

$(cq, h) \star (a, g) = (cq\,\varphi({}^h a), hg) = (cd\,\varphi(b)\varphi({}^h a), hg) = (dc\,\varphi(a)\varphi({}^g b), gh) = (dp\,\varphi({}^g b), gh) = (dp, g) \star (b, h).$

2.3. When $M$ is a group. In the concrete examples for the Algebraic Eraser scheme, $M$ is a group [2]. Consequently, $M \rtimes G$ is also a group, with inversion

$(a, g)^{-1} = ({}^{g^{-1}}(a^{-1}),\ g^{-1})$

for all $(a, g) \in M \rtimes G$.

3. A general attack on the scheme

We will attack a stronger scheme, where only one of the groups $A$ or $B$ is made public. Without loss of generality, we may assume that $A$ is known. $A$ is generated by a given $k$-element subset. Let $(a_1, s_1), \dots, (a_k, s_k) \in M \rtimes G$ be the given generators of $A$. Let $S = \{s_1, \dots, s_k\}$. $S^{\pm 1}$ denotes the symmetrized generating set $\{s_1, \dots, s_k, s_1^{-1}, \dots, s_k^{-1}\}$.

3.1. Assumptions. 

3.1.1. Distributions and complexity. Alice and Bob make their choices according 
to certain distributions. Whenever we mention a probability, it is meant with 
respect to the relevant distribution. All assertions made here must hold "with 
significant probability" and the generation of elements must be possible within 
the available computational power. We will quantify our statements later. 

Assumption 1. It is possible to generate an element $(a, 1) \in A$ with $a \neq 1$.

Assumption 1 is equivalent to the possibility of generating $(a, g) \in A$ such that the order $o$ of $g$ in $G$ is smaller than the order of $(a, g)$ in $M \rtimes G$. Indeed, in this case $(a, g)^o$ is as required.

Assumption 2. $N$ is a subgroup of $GL_n(F)$ for some field $F$ and some $n$. We do not make any assumption on the field $F$.

Alice generates an element $(a, g) \in A$, and in particular she generates $g$ in the subgroup of $G$ generated by $S$.

Assumption 3. Given $g \in \langle S \rangle$, $g$ can be explicitly expressed as a product of elements of $S^{\pm 1}$.



3.2. The attack. 
3.2.1. First phase: Finding $d$ and $\varphi(b)$ up to a scalar. $C, D$ commute element-wise. Use Assumption 1 to get a nontrivial $(a, 1) \in A$. By $\star$-commutativity of $(a, 1)$ with $(b, h)$, we have that $\varphi(a)\varphi({}^1 b) = \varphi(a)\varphi(b) = \varphi(b)\varphi({}^h a)$, where only $\varphi(b)$ is unknown. Writing $\nu_1 = \varphi(a)$, $\nu_2 = \varphi({}^h a)$, we summarize this by

(4) $\nu_1 \varphi(b) = \varphi(b) \nu_2.$

Now, $q = d\varphi(b)$ is a part of the transmitted information. Substituting $\varphi(b) = d^{-1}q$ in Equation (4), we obtain $\nu_1 d^{-1} q = d^{-1} q \nu_2$, and therefore

$d\nu_1 = \nu_3 d$

where $\nu_3 = q \nu_2 q^{-1}$. Now, choose a generic element $\gamma \in C$. Then

$d\gamma = \gamma d.$

We obtain $2n^2$ linear equations on the $n^2$ entries of $d$. As standard distributions were used to generate the keys, we expect that with overwhelming probability, the solution space will be one-dimensional. (As this is a homogeneous system, and the invertible matrix $d$ itself solves it, the solution space cannot be zero-dimensional.) If it is accidentally not, we can generate more equations in the same manner.

Thus, we have found $xd$ for some unknown scalar $x \in F$. Now use our knowledge of $q = d\varphi(b)$ to compute

$(xd)^{-1} q = \frac{1}{x}\, d^{-1} q = \frac{1}{x}\, \varphi(b).$

In summary: We know $xd$ and $x^{-1}\varphi(b)$, for some unknown scalar $x \in F$.

3.2.2. Second phase: Generating elements with a prescribed $G$-coordinate and extracting the key. Using Assumption 3, find $i_1, \dots, i_\ell \in \{1, \dots, k\}$ and $\epsilon_1, \dots, \epsilon_\ell \in \{1, -1\}$ such that

$g = s_{i_1}^{\epsilon_1} \cdots s_{i_\ell}^{\epsilon_\ell}.$

Compute

$(\tilde a, g) = (a_{i_1}, s_{i_1})^{\epsilon_1} \circ \dots \circ (a_{i_\ell}, s_{i_\ell})^{\epsilon_\ell} \in A.$

$\tilde a$ may or may not be equal to $a$.

Remark 4. If $M$ is generated as a monoid, the expression in Assumption 3 should be as a product of elements of $S$. In the cases discussed later in this paper, $G = S_n$ and the methods of Section 5 can be adjusted to obtain positive expressions (Remark 7).

By $\star$-commutativity of $(\tilde a, g)$ and $(b, h)$, $\varphi(b)\varphi({}^h \tilde a) = \varphi(\tilde a)\varphi({}^g b)$, and thus we can compute

$x^{-1}\varphi({}^g b) = \varphi(\tilde a)^{-1}\,(x^{-1}\varphi(b))\,\varphi({}^h \tilde a).$

We are now in a position to compute the secret part of the shared key, using the expression $(dp\,\varphi({}^g b), gh)$ of the key derived in Section 2.2:

$(xd)\,p\,(x^{-1}\varphi({}^g b)) = dp\,\varphi({}^g b).$

The attack is complete.
4. Cryptanalysis of CBKAP

Anshel, Anshel, Goldfeld, and Lemieux propose in [2] an efficient concrete realization which they name Colored Burau Key Agreement Protocol (CBKAP). We give the details, and then describe how our cryptanalysis applies in this case.



4.1. CBKAP. CBKAP is the Algebraic Eraser Key Agreement scheme in the following particular case. Fix positive integers $n$ and $r$, and a prime number $p$.

(1) $G = S_n$, the symmetric group on the $n$ symbols $\{1, \dots, n\}$. $S_n$ acts on $GL_n(\mathbb{F}_p(t_1, \dots, t_n))$ by permuting the variables $\{t_1, \dots, t_n\}$.

(2) $N = GL_n(\mathbb{F}_p)$.

(3) $M \rtimes G$ is the subgroup of $GL_n(\mathbb{F}_p(t_1, \dots, t_n)) \rtimes S_n$ generated by $(x_1, s_1), \dots, (x_{n-1}, s_{n-1})$, where $s_i$ is the transposition $(i, i+1)$, and $x_i$ is the identity matrix except for its $i$th row, which is

$(0, \dots, 0,\ t_i,\ -t_i,\ 1,\ 0, \dots, 0)$

with $t_i$ in column $i-1$, $-t_i$ in column $i$ and $1$ in column $i+1$, for $i = 2, \dots, n-1$; for $i = 1$ the first row of $x_1$ is $(-t_1, 1, 0, \dots, 0)$. Only the $i$th row of $x_i$ differs from the corresponding row of the identity matrix. The colored Burau group $M \rtimes G$ is a representation of Artin's braid group $B_n$, determined by mapping each Artin generator $\sigma_i$ to $(x_i, s_i)$, $i = 1, \dots, n-1$.

(4) $\varphi : M \to GL_n(\mathbb{F}_p)$ is the evaluation map sending each variable $t_i$ to a fixed element of $\mathbb{F}_p$.

(5) $C = D$ is the group of matrices of the form

$\ell_1 \kappa^{j_1} + \dots + \ell_r \kappa^{j_r}$

with $\kappa \in GL_n(\mathbb{F}_p)$ of order $p^n - 1$, $\ell_1, \dots, \ell_r \in \mathbb{F}_p$, and $j_1, \dots, j_r \in \mathbb{N}$.
Commuting subgroups of $M \rtimes G$ are chosen once, by a trusted party, as follows:

(1) Fix $I_1, I_2 \subseteq \{1, \dots, n-1\}$ such that for all $i \in I_1$ and $j \in I_2$, $|i - j| \ge 2$. $|I_1|$ and $|I_2|$ are both $\le n/2$.

(2) Define $L = \langle \sigma_i : i \in I_1 \rangle$ and $U = \langle \sigma_j : j \in I_2 \rangle$, subgroups of $B_n$ generated by Artin generators.

(3) $L$ and $U$ commute element-wise. Add to both groups the central element $\Delta^2$ of $B_n$.

(4) Choose a random $z \in B_n$.

(5) Choose $w_1, \dots, w_k \in zLz^{-1}$, $v_1, \dots, v_k \in zUz^{-1}$, each a product of $t$-many generators. Transform them into Garside left normal form, and remove all even powers of $\Delta$. Reuse the names $w_1, \dots, w_k, v_1, \dots, v_k$ for the resulting braids.

(6) Let $\rho : B_n \to M \rtimes S_n$ be the colored Burau representation function. $A, B$ are the subgroups of $\rho(zLz^{-1})$, $\rho(zUz^{-1})$ generated by $\rho(w_1), \dots, \rho(w_k)$, and by $\rho(v_1), \dots, \rho(v_k)$, respectively.

(7) $w_1, \dots, w_k, v_1, \dots, v_k$ are made public.

Recall that to carry out our attack, it suffices to assume that one set of generators, $\rho(w_1), \dots, \rho(w_k)$ or $\rho(v_1), \dots, \rho(v_k)$, is given.



4.2. The attack. Assumption 2, that $N$ is a subgroup of $GL_n(F)$ for some field $F$, is a part of the definition of CBKAP. We consider the remaining ones. As the distributions used in CBKAP are not specified in [2], we assume standard distributions in all of our attacks: Whenever, in the above descriptions, a product of a fixed number of elements of a set is required, we chose all of the elements independently and uniformly at random from that set. We then proceeded as instructed (for example, by reducing the powers of $\Delta$ as mentioned above).



4.2.1. Regarding Assumption 1. This assumption amounted to: It is possible to generate, efficiently, an element $(a, \sigma) \in A$ such that the order $o$ of $\sigma$ is smaller than that of $(a, \sigma)$.

In the notation of Section 4.1, $\{i, i+1 : i \in I_1\}$ decomposes into a family $\mathcal{X}$ of maximal intervals $[i, \ell] = \{i, i+1, \dots, \ell\}$, with $\sum_{[i,\ell] \in \mathcal{X}} (\ell - i + 1) \le n/2$.

Each considered $s$ is a permutation induced by a braid $\Delta^{2m} z w z^{-1}$ with $w \in L$. Let $\pi : B_n \to S_n$ be the canonical homomorphism. Then

$\pi(\Delta^{2m} z w z^{-1}) = \pi(\Delta^2)^m\, \pi(z)\pi(w)\pi(z)^{-1} = \pi(z)\pi(w)\pi(z)^{-1}$

is conjugate to $\pi(w)$. On each component, this is a product of many random transpositions, and is therefore an almost uniformly-random permutation on that component. We therefore have the following:

(1) $L/\langle \Delta^2 \rangle$ decomposes into a direct sum of braid groups, whose indices do not sum up to more than $n/2$.

(2) $\pi(L)$ decomposes into a direct sum of symmetric groups, whose indices do not sum up to more than $n/2$.

(3) For generic $(a, s) \in A$, $\pi(z)^{-1} s\, \pi(z)$ is generic on each part of the mentioned decomposition.

The probability that the order of a random permutation in $S_n$ is $< n$ is of order $1/\sqrt{n}$ [5]. Thus, we can find an element $(a, s) \in A$ with $s$ of order $< n$ by generating (roughly $\sqrt{n}$) elements $(a, s) \in A$, until the order of $s$ is as required.

On the other hand, the element $(a, s)$ is a representation of an element of the braid group, which is known to be torsion-free. While the representation used here may be unfaithful (see Footnote 1), it is very unlikely that $(a, s)$ could have finite order.

The remainder of this paper is dedicated to Assumption 3.

5. Membership search in generic permutation groups 

For the second phase of our attack, it suffices to find a short expression of a given permutation in terms of given random permutations. Much work was carried out on this topic, by Babai, Beals, Hetyei, Hayes, Kantor, Lubotzky, Seress, and others (see [3, 4, 5] and references therein). Our approach is a heuristic shortcut for some of the ideas presented in these works. It performs surprisingly well on random instances of the problem.

Problem 5. Given random $s_1, \dots, s_k \in S_n$ and $s \in \langle s_1, \dots, s_k \rangle$, express $s$ as a short product of elements from $\{s_1, \dots, s_k\}^{\pm 1}$.

In Problem 5, short could mean of polynomial length, or of length manageable by the given computational power as explained above. In any case, the length is the number of letters in the expression, and not the length of a compressed version of the expression. This limitation comes from the intended application, where we actually need to perform one $\star$ multiplication for each letter in the word. If the word is too long (e.g., a single generator $a$ raised to an exponentially large power), this becomes infeasible (see Footnote 2).

For concrete generators, Problem 5 is well known, and in similar form occurs in the analysis of the Rubik's cube and other puzzles. The best known heuristics for solving it in these cases are based on Minkwitz's algorithms [13], and are incapable of managing Problem 5 for random $s_1, \dots, s_k \in S_n$ where $n$ is large (say, $n > 128$), as experiments show.

A classical result of Dixon [7] tells that two random elements of $S_n$ almost always generate $A_n$ (if all generators are even permutations) or $S_n$ (otherwise). Babai proved that getting $A_n$ or $S_n$ happens with probability $1 - 1/n + O(1/n^2)$ [3]. Moreover, experiments show that this probability is very close to $1 - 1/n$ even for small $n$, i.e., the $O(1/n^2)$ term is negligible also for small $n$. In particular, the probability that $k$ random permutations do not generate $A_n$ or $S_n$ is overestimated by a bound which is small for large $n$ and negligible for large $k$.

Given that we obtain $A_n$ or $S_n$, the probability of the former case is $2^{-k}$. However, since $k = 2$ is of classical interest, we do not neglect this case.

Thus, for randomly chosen permutations Problem 5 reduces (with a small loss in probability) to the following one.

Footnote 1. It is open whether the colored Burau representation is faithful, even without reduction of the integers modulo $p$.

Footnote 2. The natural algorithm of repeated squaring does not help in the mentioned example: If $a$ is a braid or its colored Burau representation, then each squaring makes $a$ more complicated and the computation quickly becomes infeasible. The $\star$ operation avoids this problem, but does not admit an efficient analogue of squaring.
Problem 6.

(1) Given random $s, s_1, \dots, s_k \in A_n$, express $s$ as a short product of elements from $\{s_1, \dots, s_k\}^{\pm 1}$.

(2) Given random $s, s_1, \dots, s_k \in S_n$ with some $s_i \notin A_n$, express $s$ as a short product of elements from $\{s_1, \dots, s_k\}^{\pm 1}$.

A solution of Problem 6(1) implies a solution of Problem 6(2): Let $I = \{i : s_i \notin A_n\}$. $I \neq \emptyset$. Fix $i_0 \in I$, and for each $i \in I$, replace the generator $s_i$ with the generator $s_{i_0} s_i \in A_n$. Then $\{s_{i_0} s_i : i \in I\} \cup \{s_i : i \notin I\}$ is a set of $k$ nearly-random elements of $A_n$ (cf. [5]). If $s \in A_n$, use (1) to obtain a short expression of $s$ in terms of the new generators. This gives an expression in the original generators of at most double length. Otherwise, $s_{i_0} s \in A_n$ and its expression gives an expression of $s$ in terms of the original generators.

Thus, in principle one may restrict attention to Problem 6(1). However, we do not take this approach, since we want to make use of transpositions when we can.

5.1. The algorithm. 

5.1.1. Conventions.

(1) During the algorithm's execution, the expressions of some of the computed permutations in terms of the original generators should be stored. We do not write this explicitly.

(2) The statement for each $r \in \langle S \rangle$ means that the elements of $\langle S \rangle$ are considered one at a time, by first considering the elements of $S^{\pm 1}$, then all (free-reduced) products of two elements from $S^{\pm 1}$, etc. (a breadth-first search), until an end statement is encountered.

(3) For $s \in (S^{\pm 1})^*$, $\mathrm{len}(s)$ denotes the length of $s$ as a free-reduced word. $s$ is identified in the usual way with the permutation which is the product of the letters in $s$.

(4) For $s \in S_n$, $\deg(s) = |\{k : s(k) \neq k\}|$.

We are now ready to describe the steps of our algorithm. We do not consider 
the question of optimal values for the parameters and other optimizations. This 
is left for future investigation. 

Input: $G = S_n$ or $A_n$; generators $s_1, \dots, s_k$ of $G$; $s \in G$.
Initialization: $\ell = n$; $c = 2$ if $G = S_n$, and $c = 3$ if $G = A_n$.

Step 1: Find a short $c$-cycle in $\langle s_1, \dots, s_k \rangle$.
    For each $r \in \langle s_1, \dots, s_k \rangle$:
        For each $m = 1, \dots, \ell$:
            If $\deg(r^m) = c$: $\mu \leftarrow r^m$; End Step 1.

The result $\mu$ of Step 1 is forwarded to the next step.
Step 2: Find short expressions for additional $c$-cycles.
    Case $c = 2$:
        For each $r \in \langle s_1, \dots, s_k \rangle$:
            If $r^{-1}\mu r$ was not encountered before, store it.
            If enough 2-cycles were found to present $s$ by a short product of these, End Step 2.
    Case $c = 3$:
        If $s \notin A_n$: Choose $s_i \in \{s_1, \dots, s_k\}$ such that $s_i \notin A_n$; $a \leftarrow s_i s$.
        Otherwise, $a \leftarrow s$.
        For each $r \in \langle s_1, \dots, s_k \rangle$:
            If $r^{-1}\mu r$ was not encountered before, store it.
            If enough 3-cycles were found to present $a$ by a short product of these, End Step 2.

Final step: Find a short expression for $s$.
Present $s$ (or $a$) as a product of the found cycles. Use the expressions of these cycles to get an expression of $s$ in terms of the original generators.
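An added Python implementation of the algorithm above for the case $G = S_n$ (so $c = 2$), written for this page and not taken from the paper. Its parameters are choices of this example: $n = 13$, the seed, the breadth-first cap, and the canonical way of writing each cycle $(a_1\, a_2 \dots a_l)$ of the target as $(a_1\, a_2)(a_1\, a_3) \cdots (a_1\, a_l)$ so that "enough 2-cycles" means all factors of that decomposition, as in Section 6.3. The instance generator keeps only transitive pairs with an odd permutation; since $13$ is prime, such a pair is primitive, and a transposition found in Step 1 then certifies that the pair generates $S_{13}$.

```python
# The generic membership search of Section 5.1 for G = S_n (so c = 2), as an added Python
# example; it is not the authors' implementation.  n = 13, the seed, the BFS cap and the
# canonical transposition decomposition of the target are choices made for this example.
import random

def compose(p, q):
    """Product applied left to right (x -> q[p[x]]), so a word is evaluated letter by letter."""
    return tuple(q[x] for x in p)

def inverse(p):
    inv = [0] * len(p)
    for i, j in enumerate(p):
        inv[j] = i
    return tuple(inv)

def evaluate(word, gens):
    """Permutation of a word; letter +i stands for gens[i-1], letter -i for its inverse."""
    perm = tuple(range(len(gens[0])))
    for a in word:
        perm = compose(perm, gens[a - 1] if a > 0 else inverse(gens[-a - 1]))
    return perm

def enumerate_bfs(gens, cap):
    """Breadth-first enumeration of <gens> over free-reduced words (Convention 5.1.1(2)):
    yields (permutation, word) the first time each permutation is met, about cap times."""
    letters = {i + 1: g for i, g in enumerate(gens)}
    letters.update({-(i + 1): inverse(g) for i, g in enumerate(gens)})
    ident = tuple(range(len(gens[0])))
    seen, frontier, count = {ident}, [(ident, [])], 0
    while frontier and count < cap:
        nxt = []
        for perm, word in frontier:
            for a, g in letters.items():
                if word and word[-1] == -a:          # keep only free-reduced words
                    continue
                q = compose(perm, g)
                if q not in seen:
                    seen.add(q)
                    nxt.append((q, word + [a]))
                    count += 1
                    yield q, word + [a]
        frontier = nxt

def transposition_factors(s):
    """Canonical factors of s: a cycle (a1 a2 ... al) is (a1 a2)(a1 a3)...(a1 al), left to right."""
    done, out = set(), []
    for a in range(len(s)):
        cyc, x = [], a
        while x not in done and s[x] != x:
            done.add(x)
            cyc.append(x)
            x = s[x]
        out += [frozenset((cyc[0], b)) for b in cyc[1:]]
    return out

def membership_search(gens, s, cap=50000):
    """A word w over gens^{+-1} with evaluate(w, gens) == s, or None if the cap is exhausted."""
    n, mu = len(s), None
    for r, word in enumerate_bfs(gens, cap):        # Step 1: a transposition mu = r^m with m <= n
        rp = r
        for m in range(1, n + 1):
            if sum(1 for i in range(n) if rp[i] != i) == 2:
                mu, mu_word = rp, word * m
                break
            rp = compose(rp, r)
        if mu is not None:
            break
    if mu is None:
        return None
    needed = transposition_factors(s)
    found = {frozenset(i for i in range(n) if mu[i] != i): mu_word}
    for r, word in enumerate_bfs(gens, cap):        # Step 2: conjugates r^-1 mu r until all factors of s have words
        if all(t in found for t in needed):
            break
        conj = compose(compose(inverse(r), mu), r)
        key = frozenset(i for i in range(n) if conj[i] != i)
        if key not in found:
            found[key] = [-a for a in reversed(word)] + mu_word + word
    return sum((found[t] for t in needed), []) if all(t in found for t in needed) else None   # final step

def random_instance(n=13, seed=1):
    """Two random permutations acting transitively, at least one odd, plus a random target."""
    rng = random.Random(seed)
    while True:
        gens = [tuple(rng.sample(range(n), n)) for _ in range(2)]
        orbit, stack = {0}, [0]
        while stack:
            x = stack.pop()
            for g in gens:
                if g[x] not in orbit:
                    orbit.add(g[x])
                    stack.append(g[x])
        if len(orbit) == n and any(len(transposition_factors(g)) % 2 for g in gens):
            return gens, tuple(rng.sample(range(n), n))

if __name__ == "__main__":
    gens, s = random_instance()
    w = membership_search(gens, s)
    print("word length:", len(w), "| correct:", evaluate(w, gens) == s)
```

The returned word length can be compared with the bound of Corollary 17 for $k = 2$; the breadth-first enumeration is restarted for Step 2, as the description above does, so the stored expressions stay short.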

Remark 7 (Positive expressions). If $s$ belongs to the monoid generated by $\{s_1, \dots, s_k\}$, we can adjust our algorithm to obtain a positive expression of $s$: Use only Step 1 (many times) to generate enough $c$-cycles to present $s$, where in this step, consider only words $r \in S^*$. This algorithm is more time consuming, but should still be successful in such scenarios. We do not pursue this direction here, since in CBKAP all involved algebraic objects are groups.

Remark 8 (Applicability to CBKAP). In CBKAP, $G$ typically has the form $\pi^{-1} H \pi \le S_n$, where $\pi \in S_n$, $H$ is $S_{n/2}$ or $A_{n/2}$, and $H$ is embedded in $S_n$ in a natural way (supported by the $n/2$ higher indices). The conjugation is just a relabelling of the indices $1, \dots, n$. Thus, the algorithm applies without change to this case either. Modifications of the algorithm can be made, that will make it applicable to any (conjugation of) direct sum of groups of the form $A_n$ or $S_n$.

6. Analysis of the generic membership search algorithm 

6.1. An idealized model. For the heuristic estimations throughout this section, we make an optimistic assumption, whose consequences we verify experimentally later. This assumption is similar to one which was proved in [5]: For random $\sigma, \tau \in S_n$, the lengths of the first cycles of $\sigma, \sigma\tau, \sigma\tau^2, \dots, \sigma\tau^i$ are pairwise nearly independent for $i \le n^{(1/32 - o(1)) \log n}$. However, a complete proof of our assumption would make a substantial breakthrough, since the state of the art provable algorithms, which can be deduced from [5], are more complicated, and their running time is considerably larger.

Assumption 9 (Near independence of enumerated elements). Let $k \ge 2$. For random, independently chosen $s_1, \dots, s_k \in S_n$, list the elements of $\langle s_1, \dots, s_k \rangle$ by first listing the elements of $\{s_1, \dots, s_k, s_1^{-1}, \dots, s_k^{-1}\}$, then all products of two elements from $\{s_1, \dots, s_k\}^{\pm 1}$ (which were not already listed), etc., to generate a sequence of desired length $M$.

We assume that for some non-negligible positive $\alpha \le 1$ ($\alpha$ may depend on $n$, but should not decrease quickly), the generated sequence contains a subsequence of $\alpha M$ elements, which looks (for the purposes of our analysis) like a sequence of $\alpha M$ random, independently chosen, elements of $S_n$. We call $\alpha$ the density factor for breadth-first search.

Assumption 9 is clearly true when $k \ge M$, but we usually apply it in cases where $k$ is much smaller than $M$. In such cases, the density $\alpha$ cannot be $1$, since e.g. the beginning of the sequence $s_1, \dots, s_k, s_1^{-1}, \dots, s_k^{-1}$ does not look random, even for some of our purposes. For simplicity, we carry out the analysis as if $\alpha = 1$. We name this model the idealized model. This means that actually, the resulting estimations on the required number of listed permutations should be multiplied by $1/\alpha \ge 1$.

6.2. Step 1. The following terminology and lemma will make the proof of the subsequent proposition shorter. The cycle structure of a permutation $s \in S_n$ is the sequence $(n_1, n_2, \dots)$ of lengths of cycles of $s$ which are not fixed points. Let $\sigma^n_{(n_1, \dots, n_k)}$ denote the number of elements of $S_n$ with cycle structure $(n_1, \dots, n_k)$.

Lemma 10. For pairwise distinct $n_1, \dots, n_k$ (the only case used below),

$\sigma^n_{(n_1, \dots, n_k)} = \dfrac{n!}{(n - (n_1 + \dots + n_k))! \cdot n_1 \cdots n_k}.$

Proof. First choose the $n_1 + \dots + n_k$ elements which will occupy the cycles and consider all their permutations, and then divide out cyclic rotation equivalence, to get

$\dbinom{n}{n_1 + \dots + n_k} \cdot \dfrac{(n_1 + \dots + n_k)!}{n_1 \cdots n_k}.$

This is clearly equal to $\sigma^n_{(n_1, \dots, n_k)}$. □

Proposition 11. Let $c$ be $2$ if $G = S_n$, and $3$ if $G = A_n$. For random $\tau \in G$, the probability that there is $d \in \{1, \dots, n\}$ such that $\tau^d$ is a $c$-cycle is greater than $1/cn$.

Proof. In fact, we give better bounds for most values of $n$. We consider the probabilities to have cycle structures $(n-d, c)$ or $(n-d, e, c)$ for appropriate $d$, such that if $\tau$ has such a cycle structure, then $\tau^{n-d}$ is a $c$-cycle. The restrictions on the cycle structures follow.

(1) $c$ does not divide $n - d$; and

(2) $e$ divides $n - d$ (in the case $(n-d, e, c)$).

In the case $G = A_n$, we also must have that the cycle structure is possible in $A_n$:

(3) $n - d$ is odd (in the case $(n-d, 3)$);

(4) $n - d + e$ is even (in the case $(n-d, e, 3)$).

Assuming these restrictions, we compute the probabilities of these cycle structures using Lemma 10. In $S_n$, the probability for $(n-d, 2)$ is

$\dfrac{1}{|S_n|}\,\sigma^n_{(n-d,2)} = \dfrac{1}{(d-2)! \cdot (n-d) \cdot 2} \ge \dfrac{1}{(d-2)! \cdot 2n}.$

In $A_n$, the probabilities for $(n-d, 3)$ and $(n-d, e, 3)$ are

$\dfrac{1}{|A_n|}\,\sigma^n_{(n-d,3)} = \dfrac{2}{(d-3)! \cdot (n-d) \cdot 3} \ge \dfrac{2}{(d-3)! \cdot 3n}$

and

$\dfrac{1}{|A_n|}\,\sigma^n_{(n-d,e,3)} = \dfrac{2}{(d-e-3)! \cdot (n-d) \cdot e \cdot 3} \ge \dfrac{2}{(d-e-3)! \cdot 3en},$

respectively. We now consider some possible cycle structures, and describe the restrictions they pose on $n$ and their probabilities. Let $m = 2$ if $G = S_n$, and $6$ if $G = A_n$. We write the restriction on $n$ as $n \bmod m$.

Group   n mod m   Cycle structure   Prob.    Accumulated prob.
S_n     0         (n-3, 2)          1/2n
                  (n-5, 2)          1/12n    7/12n
S_n     1         (n-2, 2)          1/2n
                  (n-4, 2)          1/4n     3/4n
A_n     0         (n-5, 3)          1/3n     1/3n
A_n     1         (n-5, 2, 3)       1/3n
                  (n-6, 3)          1/9n     4/9n
A_n     2         (n-3, 3)          2/3n
                  (n-6, 2, 3)       1/3n     1/n
A_n     3         (n-4, 3)          2/3n
                  (n-5, 2, 3)       1/3n
                  (n-7, 2, 3)       1/6n     7/6n
A_n     4         (n-3, 3)          2/3n
                  (n-5, 3)          1/3n
                  (n-6, 2, 3)       1/3n     4/3n
A_n     5         (n-4, 3)          2/3n
                  (n-6, 3)          1/9n
                  (n-7, 2, 3)       1/6n     17/18n

In every case the accumulated probability is at least $1/cn$. This completes the proof. □



Corollary 12. Let $c$ be $2$ if $G = S_n$, and $3$ if $G = A_n$. Execute Step 1 with random elements $\tau \in G$ instead of the enumerated ones. The probability that it does not end before considering $\lambda n$ permutations is smaller than $e^{-\lambda/c}$.

Proof. By Proposition 11, the probability of not obtaining a $c$-cycle for $\lambda n$ randomly chosen $\tau \in G$ is at most

$\left(1 - \dfrac{1}{cn}\right)^{\lambda n} < \left(e^{-1/cn}\right)^{\lambda n} = e^{-\lambda/c}.$ □

Example 13. Let $c$ be $2$ if $G = S_n$ and $3$ if $G = A_n$, and $\lambda = c\lambda_0 \log n$ for some constant $\lambda_0$. Then the probability in Corollary 12 is smaller than

$e^{-\lambda/c} = e^{-\lambda_0 \log n} = n^{-\lambda_0}.$

Corollary 14. Let $c$ be $2$ if $G = S_n$, and $3$ if $G = A_n$. Consider Step 1 in the idealized model. The average number of $\tau$ considered in this step is smaller than $cn$. □

6.3. Step 2. We consider the most simple interpretation for "enough $c$-cycles were found to present $s$ by a short product": Present $s$ as a product of at most $n/(c-1)$ $c$-cycles in some canonical way. Then repeat Step 2 until all these $c$-cycles were found.

Proposition 15. Execute Step 2 with random elements $\tau \in G$ instead of the enumerated ones. Let $c = 2$ if $G = S_n$, and $3$ if $G = A_n$. The average number of elements considered in this step is smaller than $(n^c/c) \cdot (\log n + 2)$.

Proof. Each conjugation of a $c$-cycle by a random permutation gives a random $c$-cycle. Let $\sigma^n_c$ be the number of $c$-cycles in $S_n$. $\sigma^n_2 = n(n-1)/2$, and $\sigma^n_3 = n(n-1)(n-2)/3$. In any case, $\sigma^n_c \le n^c/c$.

To obtain all $c$-cycles in a prescribed list of $k$ out of $N$ elements, we wait on average: $N/k$ steps to obtain the first element, $N/(k-1)$ steps to obtain the second element, etc. Now,

$\sum_{i=1}^{k} \dfrac{N}{i} = N H_k,$

where $H_k < \log k + 2$ is the $k$th Harmonic number.

In our case, $k$ is the number of $c$-cycles in a canonical decomposition of a permutation, and thus $k \le n$, and $N$ is the number of $c$-cycles in $S_n$, and therefore $N \le n^c/c$. Thus,

$N H_k < \dfrac{n^c}{c}\,(2 + \log n).$ □

Corollary 16. The average running time of the generic membership search algorithm, in the idealized model, is $O(n^3 \log n)$ if $G = S_n$, and $O(n^4 \log n)$ if $G = A_n$.

Proof. Let $c = 2$ if $G = S_n$, and $3$ if $G = A_n$. Step 2 consumes most of the time, and requires by Proposition 15 $O(n^c \log n)$ operations on permutations. Each operation on permutations requires $O(n)$ elementary operations. Together, we have $O(n^{c+1} \log n)$ elementary operations. □
The constants in the estimations of Corollary 16 are not big, as can be seen by inspection of Step 2.



6.4. The expression's length. Using Corollary 14 and Proposition 15, we can derive a rough upper bound on the average length of the expression provided by the generic membership search algorithm, assuming that reality is not far from the idealized model (we verify this experimentally below).

By Corollary 14, Step 1 uses on average at most $cn$ permutations until finding a good one $\tau$. If $\tau$ is the $cn$-th permutation in our breadth-first enumeration of $\langle s_1, \dots, s_k \rangle$, then its length $d$ as a word in the generators satisfies

$(2k-1)^{d-1} \le 2k(2k-1)^{d-1} \le cn$

(there are $2k(2k-1)^{d-1}$ free-reduced words of length $d$). Thus

$\mathrm{len}(\tau) \le \dfrac{\log(cn)}{\log(2k-1)} + 1.$

Then, $\mu$ is at most an $n$-th power of $\tau$. Thus on average,

$\mathrm{len}(\mu) \le n\left(\dfrac{\log(cn)}{\log(2k-1)} + 1\right).$

Then, by Proposition 15, about $(n^c/c)\log n$ permutations $\tau$ are generated, and the $c$-cycles $\tau^{-1}\mu\tau$ are computed. The average length of the generated $\tau$'s is thus estimated by

$\dfrac{\log((n^c/c)\log n)}{\log(2k-1)} \approx \dfrac{c \log n}{\log(2k-1)}.$

In the last approximation there is less need for precision, since in any case,

$\mathrm{len}(\tau^{-1}\mu\tau) \le \mathrm{len}(\mu) + 2\,\mathrm{len}(\tau) \le n\left(\dfrac{\log(cn)}{\log(2k-1)} + 1\right) + \dfrac{2c\log n}{\log(2k-1)}.$

Less than $n/(c-1)$ $c$-cycles are needed to present the given permutation. Thus, the average length of the resulting expression is bounded by

$\dfrac{n}{c-1}\,\mathrm{len}(\tau^{-1}\mu\tau) \le \dfrac{n}{c-1}\left(n\left(\dfrac{\log(cn)}{\log(2k-1)} + 1\right) + \dfrac{2c\log n}{\log(2k-1)}\right).$

Corollary 17. Assuming that the idealized model is a good approximation to reality, the average length of the expression provided by the algorithm is not much more than

$\dfrac{n^2}{c-1}\left(\dfrac{\log(cn)}{\log(2k-1)} + 1\right) = O(n^2 \log n),$

where $c = 2$ if $G = S_n$, and $c = 3$ if $G = A_n$. □
Example 18. For $k = 2$ and $n = 2^m$, the estimation in Corollary 17 is:

$\dfrac{2^{2m}}{c-1}\left(\dfrac{\log(c2^m)}{\log 3} + 1\right) \approx \dfrac{2^{2m}}{c-1}\cdot\dfrac{\log(c2^m)}{\log 3} = \dfrac{2^{2m}\log_3(c2^m)}{c-1} \approx \dfrac{2^{2m}(m+1)\log_3 2}{c-1} \approx 0.63 \cdot \dfrac{(m+1)\,2^{2m}}{c-1},$

up to a multiplicative factor close to $1$.

7. Experimental results 

Following are experimental results, which indicate to which extent our idealized model for estimating the performance of the generic membership search algorithm is correct. The most difficult case for this algorithm is where there are only $k = 2$ random generators $s_1, s_2$. Thus, all of our experiments were conducted for $k = 2$.

7.1. Assumption 9: The density factor $\alpha$. We assumed that for random, independently chosen $s_1, \dots, s_k \in S_n$, when $M$ elements of $\langle s_1, \dots, s_k \rangle$ are generated in a breadth-first manner, the resulting sequence of $M$ elements is as good for our purposes as a sequence of $\alpha M$ random permutations, where $\alpha$ is not very small (though it may depend on $n$).

For various values of $n$, and for $G = S_n$ or $A_n$, we have calculated the average number of permutations considered in Step 1, in the idealized model (an implementation using random permutations), and in the real model. Table 1 presents the ratio between them, i.e., $1/\alpha$, obtained using 100 experiments. We observe that the density $\alpha$ decreases with $n$, but very slowly.

Table 1. Average value of $1/\alpha$

    n        8       16      32      64      128     256
    S_n      4.64    5.94    7.4     8.54    10.72   13.56
    A_n      2.51    4.24    6.36    8.04    9.52    11.56



Even for $n = 256$, the real sequence need only be 12 times longer than the required sequence of independent random permutations. In the additional place where Assumption 9 was used, $\alpha$ was not far from $1/2$.
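The measurement just described can be reproduced on a small scale with the following Python script, which is an added example and not code from the paper. It draws $k = 2$ random generators of $S_n$, enumerates $\langle s_1, s_2\rangle$ breadth-first, counts the elements examined before the first one satisfying a Step 1 event, repeats the count with uniformly random elements of the same group (the idealized model), and returns the ratio of the two averages, which is the $1/\alpha$ of Table 1. The function names (`inverse_density`, `bfs_elements`, `c_cycle_power`) are mine. The Step 1 event is an assumption: the paper's exact Step 1 test is not reproduced on this page, so the event is taken to be "the permutation has exactly one $c$-cycle and all its other cycle lengths are coprime to $c$", for which a power of the permutation is a $c$-cycle. With this event the absolute counts need not equal the estimate $cn$; only the real/ideal ratio is comparable with the table.

```python
# Added example, not the paper's code: estimating 1/alpha of Assumption 9 for k = 2.
# Assumed Step 1 event (the paper's exact test is not reproduced on this page):
# exactly one c-cycle and all other cycle lengths coprime to c, so a power is a c-cycle.
import random
from collections import deque
from functools import reduce
from math import gcd
from typing import Callable, Dict, Iterator, List, Optional, Sequence, Tuple

Perm = Tuple[int, ...]  # perm[x] is the image of the point x


def compose(p: Perm, q: Perm) -> Perm:
    """x -> p(q(x)): apply q first, then p."""
    return tuple(p[q[x]] for x in range(len(p)))


def inverse(p: Perm) -> Perm:
    # position y receives the x with p[x] == y
    return tuple(sorted(range(len(p)), key=p.__getitem__))


def power(p: Perm, e: int) -> Perm:
    """p^e (e >= 0) by repeated squaring."""
    result, base = tuple(range(len(p))), p
    while e:
        if e & 1:
            result = compose(result, base)
        base, e = compose(base, base), e >> 1
    return result


def cycle_type(p: Perm) -> Tuple[int, ...]:
    """Sorted cycle lengths of p, fixed points counted as 1-cycles."""
    seen, lengths = [False] * len(p), []
    for start in range(len(p)):
        length, x = 0, start
        while not seen[x]:
            seen[x] = True
            x, length = p[x], length + 1
        if length:
            lengths.append(length)
    return tuple(sorted(lengths))


def is_even(p: Perm) -> bool:
    return sum(l - 1 for l in cycle_type(p)) % 2 == 0


def c_cycle_power(p: Perm, c: int) -> Optional[int]:
    """e with p^e a c-cycle (the lcm of the other cycle lengths), or None."""
    lengths = cycle_type(p)
    others = [l for l in lengths if l != c]
    if lengths.count(c) != 1 or any(gcd(l, c) != 1 for l in others):
        return None
    return reduce(lambda a, b: a * b // gcd(a, b), others, 1)


def is_transitive(gens: Sequence[Perm]) -> bool:
    """Cheap necessary condition for <gens> to be S_n or A_n: one orbit."""
    orbit, stack = {0}, [0]
    while stack:
        x = stack.pop()
        for g in gens:
            if g[x] not in orbit:
                orbit.add(g[x])
                stack.append(g[x])
    return len(orbit) == len(gens[0])


def bfs_elements(gens: Sequence[Perm]) -> Iterator[Perm]:
    """<gens> in breadth-first order over gens and inverses; each non-identity element once."""
    identity = tuple(range(len(gens[0])))
    alphabet = list(gens) + [inverse(g) for g in gens]
    seen, queue = {identity}, deque([identity])
    while queue:
        w = queue.popleft()
        for a in alphabet:
            x = compose(w, a)
            if x not in seen:
                seen.add(x)
                queue.append(x)
                yield x


def random_elements(n: int, even_only: bool, rng: random.Random) -> Iterator[Perm]:
    """Uniform elements of S_n, or of A_n when even_only (the idealized model)."""
    while True:
        p = list(range(n))
        rng.shuffle(p)
        if even_only and not is_even(tuple(p)):
            p[0], p[1] = p[1], p[0]  # one transposition flips parity, keeps uniformity
        yield tuple(p)


def count_until(stream: Iterator[Perm], pred: Callable[[Perm], bool]) -> Optional[int]:
    """Elements drawn (inclusive) until pred holds; None if the stream runs out."""
    for i, p in enumerate(stream, 1):
        if pred(p):
            return i
    return None


def inverse_density(n: int, trials: int, seed: int = 0) -> Dict[str, float]:
    """1/alpha per group as in Table 1: mean real-model count / mean ideal-model count.
    Pairs generating neither S_n nor A_n are skipped when detected (intransitive, or
    the event never occurs in the generated group)."""
    rng = random.Random(seed)
    real: Dict[str, List[int]] = {"S_n": [], "A_n": []}
    ideal: Dict[str, List[int]] = {"S_n": [], "A_n": []}
    for _ in range(trials):
        gens: List[Perm] = []
        for _ in range(2):  # k = 2 random generators, the hardest case for the algorithm
            p = list(range(n))
            rng.shuffle(p)
            gens.append(tuple(p))
        if not is_transitive(gens):
            continue
        in_alt = all(is_even(g) for g in gens)  # both even => <s1, s2> <= A_n
        c, name = (3, "A_n") if in_alt else (2, "S_n")

        def pred(p: Perm, c: int = c) -> bool:
            return c_cycle_power(p, c) is not None

        hit = count_until(bfs_elements(gens), pred)
        if hit is None:
            continue
        real[name].append(hit)
        ideal[name].append(count_until(random_elements(n, in_alt, rng), pred) or 1)
    return {g: (sum(real[g]) / len(real[g])) / (sum(ideal[g]) / len(ideal[g]))
            for g in real if real[g]}
```

`inverse_density(8, trials=200)` returns a dictionary with an entry for `S_n` and one for `A_n` (whenever some pair generated each group); a pair of even generators lies in $A_n$, and $c$ is chosen accordingly. The filtering of proper subgroups is cheaper than the paper's convention: intransitive pairs, and pairs whose group never exhibits the event, are dropped, while a transitive proper subgroup that does contain such an element is counted as if it were $S_n$ or $A_n$.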



7.2. Conventions. For each $n = 8, 16, 32, 64, 128, 256$, we have conducted at least 1000 independent experiments altogether. As $k = 2$, in about 750 of these experiments $\langle s_1, s_2\rangle = S_n$, and in about 250, $\langle s_1, s_2\rangle = A_n$. The few cases where neither $S_n$ nor $A_n$ were generated were ignored.

Each of these many samples suggests a value for the considered parameter. We thus present the minimum, average, and maximum observed values, in that order, for each of $S_n$ and $A_n$. We present the ratio between the actual value and the analytic estimation obtained in the previous section. The analytic estimations can then be used to obtain the actual numbers. The ratios are quite good, and the analytic estimations are likely to be good for all values of $n$. In all discussions below $c$ is 2 if $G = S_n$, and 3 if $G = A_n$.



7.3. Step 1. The ratio between the number of permutations considered in Step 1 and the estimation $cn$ in Corollary 14 is given in Table 2.



Table 2. Ratios for the number of permutations in Step 1.

    n              8         16        32        64        128       256
    S_n   min      0.06      0.03      0.02      0.01      ?         ?
          avg      2.26      2.53      3.47      5.05      5.4       8.55
          max      112.13    45.88     25.22     102.81    52.62     77.31
    A_n   min      0.04      0.02      0.01      0.01      0.01      ?
          avg      0.51      0.51      1.35      1.28      2.56      1.9
          max      7.63      4.15      15.5      7.73      12.65     17.5

(Cells marked ? did not survive extraction; the surviving minimum entries are listed in the order in which they appear, so their column positions are not certain.)



7.4. Step 2. Table 3 gives the ratio between the number of permutations considered in Step 2, and the estimation $(n^2/c)\cdot(\log n + 2)$ in Proposition 15.

Table 3. Ratios for the number of permutations in Step 2.

    n              8         16        32        64        128       256
    S_n   min      0.11      0.23      0.44      0.87      0.59      0.48
          avg      2.32      1.65      1.59      1.36      1.53      1.35
          max      261.78    20.38     13.17     8.38      5.41      4.12
    A_n   min      0.06      0.19      0.21      0.21      0.56      0.19
          avg      2.47      1.3       1.17      1.25      1.23      1.33
          max      144.71    17.83     5.57      5.12      5.11      2.04



The striking observation is that here, the density factor $\alpha$ is very good, and in fact improves with $n$. As Step 2 is the most time consuming part in our algorithm, this means that the overall running time is close to the one predicted in the idealized model.

7.5. Length of the final expression. The average length of the final expression of the given permutation is estimated in Corollary 17 to be, in the idealized model, below
$$\frac{n^2}{c-1}\left(\frac{\log(cn)}{\log(2k-1)} + 2\right).$$
Table 4 shows that this estimation is surprisingly good, and that in fact, the true resulting length is on average better than the theoretically estimated one.

The actual lengths of the expressions produced for the given permutations are given in Table 5. For clarity, the average lengths are rounded to the nearest integer.
Table 4. Ratios for the length of the final expression.

    n              8         16        32        64        128       256
    S_n   min      0.06      0.11      0.11      0.1       0.12      0.13
          avg      0.26      0.44      0.56      0.73      0.79      0.9
          max      0.95      0.95      1.07      1.26      1.24      1.25
    A_n   min      0.08      0.08      0.08      0.04      0.03      0.04
          avg      0.31      0.37      0.54      0.6       0.74      0.74
          max      0.6       0.8       1.1       0.96      1.08      1.09

Table 5. Expression lengths using the generic membership search algorithm.

    n              8         16        32        64        128       256
    S_n   min      16        148       674       2603      14357     65063
          avg      76        580       3331      19078     91120     450450
          max      275       1258      6344      33015     143344    631306
    A_n   min      13        54        248       504       1640      9258
          avg      48        261       1698      8328      44739     195534
          max      94        564       3454      13328     65354     286628

For comparison, we looked for expressions of permutations as short products, using GAP's Schreier-Sims based algorithm (division off stabilizer chains), which uses optimizations similar to Minkwitz's [13]. Here, we have 100 experiments for $S_n$ and 100 experiments for $A_n$. Already for $n = 32$, the routines went out of memory in about $1/3$ of the cases for $A_n$, and in about $2/3$ of the cases for $S_n$. Thus, we also checked $n = 24$ and $n = 28$ ($n = 28$ is the largest index which the routines can handle well). The resulting lengths are shown in Table 6, where $\infty$ means "out of memory in too many cases".

Table 6. Expression lengths using Schreier-Sims methods.

    n              8         16        24        28          32
    S_n   min      5         102       432       1047        ∞
          avg      22        255       8039      345272      ∞
          max      42        418       350846    32729135    ∞
    A_n   min      ?         95        549       913         ∞
          avg      18        238       4101      59721       ∞
          max      29        413       35447     4012292     ∞

(The $n = 8$ entry of the minimum row for $A_n$ did not survive extraction.)

We can see that Schreier-Sims methods are better than ours only for small values of $n$. Also, note the large difference between the minimal and the maximal obtained lengths. Contrast this with the results in Table 5.
8. Possible fixes of the Algebraic Eraser and challenges

As we have demonstrated, no choice of the security parameters makes the 
Algebraic Eraser immune to the attack presented here, as long as the keys are 
generated by standard distributions. 

A possible fix may be to change the group $S$ into one whose elements do not have short expressions in terms of its generators. This may force the attacker to attack the original matrices (whose entries are Laurent polynomials in the variables $t_j$) directly, using linear algebraic methods similar to the ones presented here. It is not clear to what extent this can be done.

The most promising way to foil our attacks, at least on a small fraction of 
keys, may be to use very carefully designed distributions, which are far from 
standard ones. Following our attack, Dorian Goldfeld found a distribution for 
which the equations in phase 1 of the attack have a huge number of solutions, 
and not all of these solutions lead to the correct shared key. This may lead to a 
system resisting the type of attacks presented here. 

Another option would be to work in semigroups, and use noninvertible matri- 
ces. This may foil the first phase of our attack. 

The generic membership search algorithm is of interest beyond its applicability to the Algebraic Eraser. We have demonstrated, by an idealized analysis supported by experiments, that this algorithm easily solves instances with random permutations, in groups of index which is intractable when using previously known techniques like those in [13].

The most interesting direction of extending the present work seems to be a rigorous analysis, in the real model, of this algorithm. This would be a mathematical breakthrough, since the state of the art provable algorithms, despite being more sophisticated, have running time $O(n'' \log n)$, which is not practical for $n > 128$. Alexander Hulpke has informed us that our methods are similar to ones used for constructive recognition of $S_n$ or $A_n$. This connection may be useful for the proposed analysis.

Finally, we point out that even without changes, our algorithm applies in many cases not treated here. Experiments of the full attack succeeded to extract the shared key correctly in all tested cases, including some in which the index of the generated subgroup of $S_{n/2}$ was greater than 2.